Turla, Sofacy and APT29 are some of the most sophisticated and well-known Advanced Persistent Threat (APT) groups. These actors are part of the broader framework in which Russia is today one of the strongest forces in cyber warfare, and their aim is to carry out cyber espionage globally.
Thanks to the advanced tools, unique approaches and solid infrastructure available to them, they are able to carry out large and complex operations involving various military and government agencies in Russia. Over the last three decades the country has become known for conducting a wide range of cyber espionage and sabotage operations.
These range from the first known attacks, such as Moonlight Maze in 1996, through the Pentagon breach in 2008, the Kyiv blackout in 2016 and the hacking of the US elections in 2016, to some of the largest and most notorious cyber attacks in history, such as the targeting of an entire country with the NotPetya malware.
In fact, numerous Russian operations and malware families have been publicly reported by various security vendors and intelligence organizations, such as the FBI and the Estonian Foreign Intelligence Service, shedding light on specific Russian actors or operations, but the overall picture remains unclear.
The fog surrounding these complicated operations made us realize that, although we know a lot about individual actors, we lack a general framework describing how the actors interact (or fail to interact) and their tactics, techniques and procedures (TTPs). This research therefore set out to uncover some of that information.
During this research, Check Point and Intezer experts analyzed some 2,000 samples attributed to Russia and found 22,000 links between the samples and 3.85 million non-unique pieces of shared code. The experts classified these samples into 60 families and 200 different modules.
Russian APTs: all you need to know
- In most cases, Russian actors do not share code between them. While each actor reuses its own code across different operations and different malware families, there is no single tool, library or framework shared between the different actors.
- Every actor or group under the umbrella of Russian APT has its own dedicated malware development teams, which have worked for years in parallel on similar malware tools and frameworks. Since many of these tools serve the same purpose, some redundancy in this parallel activity can be identified.
- These results may indicate that Russia invests heavily in operational security. By avoiding the use of the same tools by different groups for multiple purposes, the risk of one compromised operation exposing other active operations is eliminated.
- Thanks to code similarity analysis, the researchers were able to verify relationships previously reported between different families.
- Several tools will be released for use by the research community, such as an interactive map of the links between dozens of Russian APT families and their components, and a signature-based tool to scan a host or a file for the pieces of code most commonly used by Russian APTs.